Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
So, here's how online payment works in my country:
1. The selling website creates a hidden <form> and populates it with product ID, price and etc.
2. Some Javascript posts the mentioned form to the bank from the browser.
3. User enters credit info, and submits. If all is right, the bank creates another hidden <form>, and populates is with status code and an invoice ID.
4. Said form is then posted back to the selling website.
I don't know how the programmers behind this scenario call themselves programmers if they don't know basic things about server-side only verifications, but thanks to them I've been buying a lot of products for free these past years. 😂😂
How? 1. Just install Requestly, Tampermonkey and enable Chrome's dev tools.
2. Change price to zero, and the bank's response code to success.
3. Profit!
P. S. I have notified the people behind this, but they don't listen and go fix their codes. Oh well, serves them right.13 -
My current project at work: purchase verification, aka anti-fraud.
It's been two weeks, and my boss is flipping out because it isn't done. A robust anti-fraud solution. in two weeks. And he thought one week was a little much.
like, fucking really?
There are companies whose entire service is helping combat fraud. and he wants this done in a bloody week?
What makes me laugh through my tears of frustration is that the company that moved into the previous office? Yep, anti-fraud. Their entire business model is providing anti-fraud services to other businesses. They even tried selling him on it when they moved in. Bossman sales guy turned it around and sold my freaking desk out from under me instead.
But like. They're a small company: they had 9 people when they moved in, and were looking to add three more, so a total of 12 people. (I totally considered jumping ship, but their stack was too different.)
So. Bossman wants me to replace 9-12 people and their entire business in a fucking week. Yeah.
"Oh, but it's just sms verification" says he. What he also wants is the ability to flag users as fraudulent, have sticky verifications so they can't bypass them by backing out, have email checks as well as sms, have deferred verification to allow collecting required info (e.g. phone number), verification fallback, lockouts, manual admin whitelisting, admin blacklisting, and different rules per merchant and rule groups for affiliates to apply to all of their merchants, and of course the ability to customize those merchant/affiliate anti-fraud rules. But he shortens this gigantic list to "I want sms verification," despite actually asking for all of the above. I don't want to know about the mental gymnastics and/or blindfolding required to equate the two, but he's nuts.
Yeah.
All of that.
In a goddamn week.
And I get chewed out when it isn't done? Fuck off.
Go build me a goddamn 5m ft^2 castle out of basalt and marble using only your toothbrush and a rusty garden trowel, and have it done in a week. No outsourcing.
talk about ridiculous.5 -
this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.
2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:
1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck
3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/
4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"
-
Google simply can't knock off harrassing their users with security theatre.
A friend of mine has a small personal YouTube channel. He has recently been bombarded with several phone verification requests a week: "Verify it's you. To continue your session, complete a brief verification. This extra step helps us keep your account safe by making sure it’s really you. "
While frequent verifications may be understandable on YouTube channels with millions of subscribers, channels with only a few dozen subscribers are not attractive hacking targets. A verification would be justified before a potentially harmful action such as deleting videos or deleting a channel. But not for normal everyday use.
What's next? Will they ask users to "verify it's them" every ten minutes, "just for extra security"? Just to verify that it is "really, really, really, really, really" them?
It's not security. It's security theatre.
Sorry, Google, but users are not in the mood of doing a phone verification every other day.
Has this been Google's perverted wet dream all along?
1 -
!Rant #motivation #hugeProject
Yesterday i started a new app and i designed some of it but classes i coded will speed up the whole coding of other parts .
Anyways today i needed to work on the server side of the project and when i was working on setting up the databases structures i realized how big is this project (it uses like 3 APIs) so i was unmotivated because its a side project and it takes alot of time and overall it dont worth it and even app may fail or may be successful.
So i said i dont care about how it will turn out
Im gonna do it , and im gonna do it right now
So i did now its 6 am and the server part is almost finished ! 75% done .
It was a secure login system and signup with verifications and more security stuff and the codes that provide the server status and most of the user parts . And some of the features of the app .
The most hard thing remaining is to setup the in app purchases and the APIs .
So if you see a project that is huge .
Dont give up . Just do it as long as you can
And you will see how much you progress !
And the huge project will be a big project ;)
Then a normal project , then a tiny project :P
Good night1 -
Don’t you just love it when you’re hosting company decides to do a big change on their email sending policies that breaks a bunch of your apps you have written the depending on sending out emails to users for verifications etc.? And of course they did this with no prior notice. Not the way I wanted to spend my weekend updating certain parts of the domain records to allow this to happen.3
-
Recoding the malloc is a mess. It seems to be a very good exercise and it is. But you know there are so much mystical issues that happens when you're working with memory.
I just figured out that I got 90% of my free function calls by the "ls" command that was in reality a bad pointer following my own verifications.
So, I don't know why because I just make a normal vérification so except if the "ls" was developer with the ass... -
I just want to shoot myself. This happened to me today. I will replace the name of the person for privacy issues. i joined this company a week ago.
my question:
"hey [co worker name].
How can i install a tool on my sandbox. I'm not on the sudoers file. Have you used "ag", is awesome to search code and nicer than grep
https://github.com/ggreer/...
is actually available as a centos package in the repo.
the_silver_searcher.x86_64 : Super-fast text searching tool (ag)
but i don't have permission to install it
my co worker's response.
For that you would need first to create a presentation and show it to the team, explaining the benefits of that tool over what we have right now
That presentation you would show it to the team and from there we can do corrections and any other verifications in order to have a meeting with Jorge and DevOps to show them the presentation2 -
(Question/0.5Rant)
So I am working on a mixed API (aka reachable from anywhere, but also only accessible by specific allowed devices) and I am struggling with the security of it, its not managing anything hardcore (this API is "is the coffe ready?" kind of level) or I would have just enforced per device registration for example already, but the app that goes with that API is deployed remotely and has to be "ready to go!!!" out of the box, so I can't add any registration, verifications of devices etc.
The main thing I am afraid of is, that one of those agent retards will get his spaghetti phone blasted from the inside, so all the https calls will be read out by some random attacker, which then will be able to "abuse" the API via read out api-key, is there any way for me to have a rescue plan if one of those retards does get hacked and the system then get spammed or something, like if I log all devices that use the API I could just deny access from that device (until resolved) and issue a new app update via new api key.
What's the best way of handling this and is my idea really the only way to handle this? this shitfest is really causing shit ton of ideas in my head, which then I deny literally 20 seconds later, because there's a way to bypass it or once you have the old api key to get a new one by just monitoring it etc.5 -
Roblox seem to believe that you can actually send texts to landline phones. At least the landline is prefix is the only choice for phone verifications when living in the Åland Islands. I've brought this problem to Roblox's attention a year ago and they promised to fix it. Then I've reminded them a couple of times during the past year. Each time, they respond with stupid AI (Artificial Idiocy) generated answers, prompt me to send screenshots and once even screen captured videos. The follow-up answers I get just prove what I've been thinking for a year now, that Roblox don't give a shit about their users. Fuck it, it's a crappy platform anyway and I'm probably better off moving on to Unreal Engine.3
-
Need help with selecting a proper backend and website frameworks. After trying out a couple identity verification service providers we were dissapointed with their lack of support (takes weeks to do minimal changes).
So now we are having discussions about building in-house id verification system. We already have libraries for ios/android apps (ZOOM lib for face recognition and another lib for data extraction via OCR from document picture). So what we need is a proper backend and then a decent web framework with proper ux/ui design for our web/ios/android apps.
Currently thinking what kind of backend framework should we choose? Backend's main responsibility is for each client registered from website to assign an api key and to create a database/storage where his users would authenticate via clients app and upload a picture and a video.
Also wondering what kind of framework for website apps (main web app, dashboard app where we display pending verifications, and of course verification app) to choose. Should be go for angular?
Top Tags
Weekly Rant
View